X-Git-Url: https://git.heureux-cyclage.org/?a=blobdiff_plain;f=includes%2Fauth%2FLocalPasswordPrimaryAuthenticationProvider.php;h=86a6aae0aba4e31070ccfed37544ef5f7e9c9940;hb=d503ac7c9433a36358b1db27c6365167ea869832;hp=fd36887c0620aee1abe322366720b3fda8abc22d;hpb=8bb5a6c461c31ee5ce6874548246fc2c520686f6;p=lhc%2Fweb%2Fwiklou.git

diff --git a/includes/auth/LocalPasswordPrimaryAuthenticationProvider.php b/includes/auth/LocalPasswordPrimaryAuthenticationProvider.php
index fd36887c06..86a6aae0ab 100644
--- a/includes/auth/LocalPasswordPrimaryAuthenticationProvider.php
+++ b/includes/auth/LocalPasswordPrimaryAuthenticationProvider.php
@@ -96,7 +96,10 @@ class LocalPasswordPrimaryAuthenticationProvider
 			__METHOD__
 		);
 		if ( !$row ) {
-			return AuthenticationResponse::newAbstain();
+			// Do not reveal whether its bad username or
+			// bad password to prevent username enumeration
+			// on private wikis. (T134100)
+			return $this->failResponse( $req );
 		}
 
 		$oldRow = clone $row;
@@ -297,7 +300,7 @@ class LocalPasswordPrimaryAuthenticationProvider
 				// Nothing we can do besides claim it, because the user isn't in
 				// the DB yet
 				if ( $req->username !== $user->getName() ) {
-					$req = clone( $req );
+					$req = clone $req;
 					$req->username = $user->getName();
 				}
 				$ret = AuthenticationResponse::newPass( $req->username );